Frida-Wshook – Script Analysis Tool Based On Frida.re

frida-wshook is an analysis and instrumentation tool which uses frida.re to hook common functions often used by malicious script files which are run using WScript/CScript.

The tool intercepts Windows API functions and doesn’t implement function stubs or proxies within the targeted scripting language. This allows it to support analyzing a few different script types such as:

.wsf (WSFile) (initial support/testing; does not support specific jobs)

By default script files are run using cscript.exe and will output:

COM ProgIDs

DNS Requests

Shell Commands

Network Requests

Warning!!! Ensure that you run any malicious scripts on a dedicated analysis system. Ideally, a VM with snapshots so you can revert if a script gets away from you and you need to reset the system.

Although common methods have been hooked, Windows provides numerous APIs which allow developers to interact with a network, file system and execute commands. So it is entirely possible to encounter scripts leveraging uncommon APIs for these functions.
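To make the hook-table approach concrete, here is an added example of a minimal Frida agent in the spirit of frida-wshook; it is not the project's own agent. Which DLL export feeds which of the four report categories is my assumption for illustration (the argument positions follow the documented Win32 prototypes), and it shows why coverage is bounded by the table: an API not listed in HOOKS is simply never reported.

```javascript
// Added example, not frida-wshook's own code. Hook-to-category mapping is an
// assumption; argument indices follow the documented Win32 prototypes.
const HOOKS = [
  // CLSIDFromProgID(LPCOLESTR lpszProgID, ...)
  { category: 'COM ProgID',      module: 'ole32.dll',    name: 'CLSIDFromProgID',  args: [0],    wide: true  },
  // getaddrinfo(PCSTR pNodeName, ...) is ANSI; GetAddrInfoW(PCWSTR, ...) is wide
  { category: 'DNS Request',     module: 'ws2_32.dll',   name: 'getaddrinfo',      args: [0],    wide: false },
  { category: 'DNS Request',     module: 'ws2_32.dll',   name: 'GetAddrInfoW',     args: [0],    wide: true  },
  // CreateProcessW(lpApplicationName, lpCommandLine, ...): prefer lpCommandLine
  { category: 'Shell Command',   module: 'kernel32.dll', name: 'CreateProcessW',   args: [1, 0], wide: true  },
  // HttpOpenRequestW(hConnect, lpszVerb, lpszObjectName, ...)
  { category: 'Network Request', module: 'wininet.dll',  name: 'HttpOpenRequestW', args: [2],    wide: true  },
];

// Read the first non-NULL string argument listed in hook.args.
// `args` is Frida's NativePointer array (or a stand-in with the same methods).
function readFirstString(hook, args) {
  for (const i of hook.args) {
    const p = args[i];
    if (p.isNull()) continue;
    return hook.wide ? p.readUtf16String() : p.readUtf8String();
  }
  return null;
}

// Build the event record the host side receives via send().
function makeEvent(hook, args) {
  const value = readFirstString(hook, args);
  return { category: hook.category, api: hook.name, value: value === null ? '<null>' : value };
}

// Collapse a stream of events into the per-category list of unique values
// that an analyst wants at the end of a run.
function summarize(events) {
  const byCategory = {};
  for (const e of events) {
    if (!byCategory[e.category]) byCategory[e.category] = new Set();
    byCategory[e.category].add(e.value);
  }
  return Object.fromEntries(Object.entries(byCategory).map(([k, v]) => [k, [...v].sort()]));
}

// Frida side: Module.load forces the DLL in so the export resolves even before
// the script first touches it, then Interceptor reports every call's argument.
function installHooks() {
  for (const hook of HOOKS) {
    const target = Module.load(hook.module).getExportByName(hook.name);
    Interceptor.attach(target, { onEnter(args) { send(makeEvent(hook, args)); } });
  }
}

// Interceptor exists only inside Frida; under plain Node.js only the helpers run.
if (typeof Interceptor !== 'undefined') installHooks();
```

Loaded into cscript.exe with the frida CLI (frida -f cscript.exe ... -l agent.js), the host-side script collects the send() messages and prints summarize() over them.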

Supported OS

frida-wshook has been tested on Windows 10 and Windows 7 and should work on any Windows 7+ environment. On x64 systems CScript is loaded from the C:\Windows\SysWOW64 directory. It may work on Windows XP, but I suspect that CScript may use the legacy API calls and would bypass the instrumentation.

Usage

The script supports a number of optional command-line arguments that allow you to control which APIs the scripting host can call.